From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 91D37A034F for ; Wed, 6 May 2020 18:24:36 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 704171DA32; Wed, 6 May 2020 18:24:36 +0200 (CEST) Received: from mellanox.co.il (mail-il-dmz.mellanox.com [193.47.165.129]) by dpdk.org (Postfix) with ESMTP id 85C011DA21 for ; Wed, 6 May 2020 18:24:33 +0200 (CEST) Received: from Internal Mail-Server by MTLPINE2 (envelope-from matan@mellanox.com) with ESMTPS (AES256-SHA encrypted); 6 May 2020 19:24:28 +0300 Received: from pegasus07.mtr.labs.mlnx (pegasus07.mtr.labs.mlnx [10.210.16.112]) by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id 046GOSA8023223; Wed, 6 May 2020 19:24:28 +0300 From: Michael Baum To: dev@dpdk.org Cc: Matan Azrad , Viacheslav Ovsiienko , stable@dpdk.org Date: Wed, 6 May 2020 16:24:06 +0000 Message-Id: <1588782246-16271-1-git-send-email-michaelba@mellanox.com> X-Mailer: git-send-email 1.8.3.1 Subject: [dpdk-stable] [PATCH] net/mlx5: fix meter color register consideration X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" The mlx5_flow_get_reg_id() function translates tag ID to register from the registers that are supported and available for use. The user does not know which register is available at a time and therefore there is an array that represents mapping to the available registers. Usually the free registers are continuous in the flow_mreg_c array but sometimes the mtr_color_reg register is between them and it must be skipped and the next register returned, in which case the function returns the mapping of the next entity in the array. When the function reads from the next entity in the array, it does not check whether such an entity exists and in some situation invalid access to memory occurs beyond the array boundaries. So, when all the registers are valid from HW perspective and the meter color register is not the default, the tag id 5 causes an out of bound access. Validate registers availability when meter color register is not the default. Coverity issue: 146355 Fixes: 792e749e92d5 ("net/mlx5: fix register usage in meter") Cc: stable@dpdk.org Signed-off-by: Michael Baum Acked-by: Matan Azrad --- drivers/net/mlx5/mlx5_flow.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c index 01376f3..08c7cdf 100644 --- a/drivers/net/mlx5/mlx5_flow.c +++ b/drivers/net/mlx5/mlx5_flow.c @@ -442,6 +442,10 @@ struct mlx5_flow_tunnel_info { */ if (skip_mtr_reg && config->flow_mreg_c [id + start_reg - REG_C_0] >= priv->mtr_color_reg) { + if (id >= (REG_C_7 - start_reg)) + return rte_flow_error_set(error, EINVAL, + RTE_FLOW_ERROR_TYPE_ITEM, + NULL, "invalid tag id"); if (config->flow_mreg_c [id + 1 + start_reg - REG_C_0] != REG_NONE) return config->flow_mreg_c -- 1.8.3.1